Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 1 | /* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
| 2 | * Use of this source code is governed by a BSD-style license that can be |
| 3 | * found in the LICENSE file. |
| 4 | * |
| 5 | * Functions for loading a kernel from disk. |
| 6 | * (Firmware portion) |
| 7 | */ |
| 8 | |
| 9 | #include "vboot_kernel.h" |
| 10 | |
| 11 | #include "boot_device.h" |
| 12 | #include "cgptlib.h" |
Bill Richardson | 5deb67f | 2010-07-23 17:22:25 -0700 | [diff] [blame] | 13 | #include "cgptlib_internal.h" |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 14 | #include "load_kernel_fw.h" |
| 15 | #include "rollback_index.h" |
| 16 | #include "utility.h" |
Randall Spangler | 83c88cf | 2010-06-11 16:14:18 -0700 | [diff] [blame] | 17 | #include "vboot_common.h" |
| 18 | |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 19 | #define KBUF_SIZE 65536 /* Bytes to read at start of kernel partition */ |
| 20 | |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 21 | typedef enum BootMode { |
| 22 | kBootNormal, /* Normal firmware */ |
| 23 | kBootDev, /* Dev firmware AND dev switch is on */ |
| 24 | kBootRecovery /* Recovery firmware, regardless of dev switch position */ |
| 25 | } BootMode; |
| 26 | |
Randall Spangler | 83c88cf | 2010-06-11 16:14:18 -0700 | [diff] [blame] | 27 | |
| 28 | /* Allocates and reads GPT data from the drive. The sector_bytes and |
| 29 | * drive_sectors fields should be filled on input. The primary and |
| 30 | * secondary header and entries are filled on output. |
| 31 | * |
| 32 | * Returns 0 if successful, 1 if error. */ |
| 33 | int AllocAndReadGptData(GptData* gptdata) { |
| 34 | |
| 35 | uint64_t entries_sectors = TOTAL_ENTRIES_SIZE / gptdata->sector_bytes; |
| 36 | |
| 37 | /* No data to be written yet */ |
| 38 | gptdata->modified = 0; |
| 39 | |
| 40 | /* Allocate all buffers */ |
| 41 | gptdata->primary_header = (uint8_t*)Malloc(gptdata->sector_bytes); |
| 42 | gptdata->secondary_header = (uint8_t*)Malloc(gptdata->sector_bytes); |
| 43 | gptdata->primary_entries = (uint8_t*)Malloc(TOTAL_ENTRIES_SIZE); |
| 44 | gptdata->secondary_entries = (uint8_t*)Malloc(TOTAL_ENTRIES_SIZE); |
| 45 | |
| 46 | if (gptdata->primary_header == NULL || gptdata->secondary_header == NULL || |
| 47 | gptdata->primary_entries == NULL || gptdata->secondary_entries == NULL) |
| 48 | return 1; |
| 49 | |
| 50 | /* Read data from the drive, skipping the protective MBR */ |
| 51 | if (0 != BootDeviceReadLBA(1, 1, gptdata->primary_header)) |
| 52 | return 1; |
| 53 | if (0 != BootDeviceReadLBA(2, entries_sectors, gptdata->primary_entries)) |
| 54 | return 1; |
| 55 | if (0 != BootDeviceReadLBA(gptdata->drive_sectors - entries_sectors - 1, |
| 56 | entries_sectors, gptdata->secondary_entries)) |
| 57 | return 1; |
| 58 | if (0 != BootDeviceReadLBA(gptdata->drive_sectors - 1, |
| 59 | 1, gptdata->secondary_header)) |
| 60 | return 1; |
| 61 | |
| 62 | return 0; |
| 63 | } |
| 64 | |
| 65 | |
| 66 | /* Writes any changes for the GPT data back to the drive, then frees |
| 67 | * the buffers. |
| 68 | * |
| 69 | * Returns 0 if successful, 1 if error. */ |
| 70 | int WriteAndFreeGptData(GptData* gptdata) { |
| 71 | |
| 72 | uint64_t entries_sectors = TOTAL_ENTRIES_SIZE / gptdata->sector_bytes; |
| 73 | |
| 74 | if (gptdata->primary_header) { |
| 75 | if (gptdata->modified & GPT_MODIFIED_HEADER1) { |
Randall Spangler | e2ec984 | 2010-06-23 21:17:07 -0700 | [diff] [blame] | 76 | VBDEBUG(("Updating GPT header 1\n")); |
Randall Spangler | 83c88cf | 2010-06-11 16:14:18 -0700 | [diff] [blame] | 77 | if (0 != BootDeviceWriteLBA(1, 1, gptdata->primary_header)) |
| 78 | return 1; |
| 79 | } |
| 80 | Free(gptdata->primary_header); |
| 81 | } |
| 82 | |
| 83 | if (gptdata->primary_entries) { |
| 84 | if (gptdata->modified & GPT_MODIFIED_ENTRIES1) { |
Randall Spangler | e2ec984 | 2010-06-23 21:17:07 -0700 | [diff] [blame] | 85 | VBDEBUG(("Updating GPT entries 1\n")); |
Randall Spangler | 83c88cf | 2010-06-11 16:14:18 -0700 | [diff] [blame] | 86 | if (0 != BootDeviceWriteLBA(2, entries_sectors, |
| 87 | gptdata->primary_entries)) |
| 88 | return 1; |
| 89 | } |
| 90 | Free(gptdata->primary_entries); |
| 91 | } |
| 92 | |
| 93 | if (gptdata->secondary_entries) { |
| 94 | if (gptdata->modified & GPT_MODIFIED_ENTRIES2) { |
Randall Spangler | e2ec984 | 2010-06-23 21:17:07 -0700 | [diff] [blame] | 95 | VBDEBUG(("Updating GPT header 2\n")); |
Randall Spangler | 83c88cf | 2010-06-11 16:14:18 -0700 | [diff] [blame] | 96 | if (0 != BootDeviceWriteLBA(gptdata->drive_sectors - entries_sectors - 1, |
| 97 | entries_sectors, gptdata->secondary_entries)) |
| 98 | return 1; |
| 99 | } |
| 100 | Free(gptdata->secondary_entries); |
| 101 | } |
| 102 | |
| 103 | if (gptdata->secondary_header) { |
| 104 | if (gptdata->modified & GPT_MODIFIED_HEADER2) { |
Randall Spangler | e2ec984 | 2010-06-23 21:17:07 -0700 | [diff] [blame] | 105 | VBDEBUG(("Updating GPT entries 2\n")); |
Randall Spangler | 83c88cf | 2010-06-11 16:14:18 -0700 | [diff] [blame] | 106 | if (0 != BootDeviceWriteLBA(gptdata->drive_sectors - 1, 1, |
| 107 | gptdata->secondary_header)) |
| 108 | return 1; |
| 109 | } |
| 110 | Free(gptdata->secondary_header); |
| 111 | } |
| 112 | |
| 113 | /* Success */ |
| 114 | return 0; |
| 115 | } |
| 116 | |
vbendeb | 3ecaf77 | 2010-06-24 16:19:53 -0700 | [diff] [blame] | 117 | /* disable MSVC warning on const logical expression (as in } while(0);) */ |
| 118 | __pragma(warning(disable: 4127)) |
Randall Spangler | 83c88cf | 2010-06-11 16:14:18 -0700 | [diff] [blame] | 119 | |
Randall Spangler | bd529f0 | 2010-06-16 12:51:26 -0700 | [diff] [blame] | 120 | int LoadKernel(LoadKernelParams* params) { |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 121 | VbNvContext* vnc = params->nv_context; |
Bill Richardson | e272940 | 2010-07-22 12:23:47 -0700 | [diff] [blame] | 122 | VbPublicKey* kernel_subkey; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 123 | GptData gpt; |
| 124 | uint64_t part_start, part_size; |
Bill Richardson | e272940 | 2010-07-22 12:23:47 -0700 | [diff] [blame] | 125 | uint64_t blba; |
| 126 | uint64_t kbuf_sectors; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 127 | uint8_t* kbuf = NULL; |
| 128 | int found_partitions = 0; |
| 129 | int good_partition = -1; |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 130 | int good_partition_key_block_valid = 0; |
Randall Spangler | 6668028 | 2010-08-16 12:33:44 -0700 | [diff] [blame] | 131 | uint32_t tpm_version = 0; |
| 132 | uint64_t lowest_version = 0xFFFFFFFF; |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 133 | int rec_switch, dev_switch; |
| 134 | BootMode boot_mode; |
Randall Spangler | 7a786b7 | 2010-07-08 13:29:42 -0700 | [diff] [blame] | 135 | uint32_t status; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 136 | |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 137 | /* TODO: differentiate between finding an invalid kernel (found_partitions>0) |
| 138 | * and not finding one at all. Right now we treat them the same, and return |
| 139 | * LOAD_KERNEL_INVALID for both. */ |
| 140 | int retval = LOAD_KERNEL_INVALID; |
| 141 | int recovery = VBNV_RECOVERY_RO_UNSPECIFIED; |
| 142 | |
| 143 | /* Setup NV storage */ |
| 144 | VbNvSetup(vnc); |
| 145 | |
Bill Richardson | e272940 | 2010-07-22 12:23:47 -0700 | [diff] [blame] | 146 | /* Sanity Checks */ |
| 147 | if (!params || |
Bill Richardson | e272940 | 2010-07-22 12:23:47 -0700 | [diff] [blame] | 148 | !params->bytes_per_lba || |
| 149 | !params->ending_lba || |
| 150 | !params->kernel_buffer || |
| 151 | !params->kernel_buffer_size) { |
| 152 | VBDEBUG(("LoadKernel() called with invalid params\n")); |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 153 | goto LoadKernelExit; |
Bill Richardson | e272940 | 2010-07-22 12:23:47 -0700 | [diff] [blame] | 154 | } |
| 155 | |
| 156 | /* Initialization */ |
| 157 | kernel_subkey = (VbPublicKey*)params->header_sign_key_blob; |
| 158 | blba = params->bytes_per_lba; |
| 159 | kbuf_sectors = KBUF_SIZE / blba; |
Randall Spangler | 4bb5e4b | 2010-08-19 09:05:22 -0700 | [diff] [blame] | 160 | if (0 == kbuf_sectors) { |
| 161 | VBDEBUG(("LoadKernel() called with sector size > KBUF_SIZE\n")); |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 162 | goto LoadKernelExit; |
Randall Spangler | 4bb5e4b | 2010-08-19 09:05:22 -0700 | [diff] [blame] | 163 | } |
| 164 | |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 165 | rec_switch = (BOOT_FLAG_RECOVERY & params->boot_flags ? 1 : 0); |
| 166 | dev_switch = (BOOT_FLAG_DEVELOPER & params->boot_flags ? 1 : 0); |
| 167 | |
| 168 | if (rec_switch) |
| 169 | boot_mode = kBootRecovery; |
| 170 | else if (BOOT_FLAG_DEV_FIRMWARE & params->boot_flags) |
| 171 | if (!dev_switch) { |
| 172 | /* Dev firmware should be signed such that it never boots with the dev |
| 173 | * switch is off; so something is terribly wrong. */ |
| 174 | VBDEBUG(("LoadKernel() called with dev firmware but dev switch off\n")); |
| 175 | recovery = VBNV_RECOVERY_RW_DEV_MISMATCH; |
| 176 | goto LoadKernelExit; |
| 177 | } |
| 178 | boot_mode = kBootDev; |
| 179 | else { |
| 180 | /* Normal firmware */ |
| 181 | boot_mode = kBootNormal; |
| 182 | dev_switch = 0; /* Always do a fully verified boot */ |
Randall Spangler | a8e0f94 | 2011-02-14 11:12:09 -0800 | [diff] [blame] | 183 | } |
Bill Richardson | e272940 | 2010-07-22 12:23:47 -0700 | [diff] [blame] | 184 | |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 185 | /* Clear output params in case we fail */ |
| 186 | params->partition_number = 0; |
| 187 | params->bootloader_address = 0; |
| 188 | params->bootloader_size = 0; |
| 189 | |
Randall Spangler | 63dffcb | 2010-08-05 15:13:14 -0700 | [diff] [blame] | 190 | /* Let the TPM know if we're in recovery mode */ |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 191 | if (kBootRecovery == boot_mode) { |
| 192 | if (0 != RollbackKernelRecovery(dev_switch)) { |
Randall Spangler | 63dffcb | 2010-08-05 15:13:14 -0700 | [diff] [blame] | 193 | VBDEBUG(("Error setting up TPM for recovery kernel\n")); |
| 194 | /* Ignore return code, since we need to boot recovery mode to |
| 195 | * fix the TPM. */ |
Randall Spangler | 1078838 | 2010-06-23 15:35:31 -0700 | [diff] [blame] | 196 | } |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 197 | } else { |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 198 | /* Read current kernel key index from TPM. Assumes TPM is already |
| 199 | * initialized. */ |
Randall Spangler | 6668028 | 2010-08-16 12:33:44 -0700 | [diff] [blame] | 200 | status = RollbackKernelRead(&tpm_version); |
Randall Spangler | 7a786b7 | 2010-07-08 13:29:42 -0700 | [diff] [blame] | 201 | if (0 != status) { |
Randall Spangler | e2ec984 | 2010-06-23 21:17:07 -0700 | [diff] [blame] | 202 | VBDEBUG(("Unable to get kernel versions from TPM\n")); |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 203 | if (status == TPM_E_MUST_REBOOT) |
| 204 | retval = LOAD_KERNEL_REBOOT; |
| 205 | else |
| 206 | recovery = VBNV_RECOVERY_RW_TPM_ERROR; |
| 207 | goto LoadKernelExit; |
Randall Spangler | 695cd16 | 2010-06-15 23:38:23 -0700 | [diff] [blame] | 208 | } |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 209 | } |
| 210 | |
| 211 | do { |
| 212 | /* Read GPT data */ |
Randall Spangler | beb5bae | 2010-06-21 16:33:26 -0700 | [diff] [blame] | 213 | gpt.sector_bytes = (uint32_t)blba; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 214 | gpt.drive_sectors = params->ending_lba + 1; |
Randall Spangler | 695cd16 | 2010-06-15 23:38:23 -0700 | [diff] [blame] | 215 | if (0 != AllocAndReadGptData(&gpt)) { |
Randall Spangler | e2ec984 | 2010-06-23 21:17:07 -0700 | [diff] [blame] | 216 | VBDEBUG(("Unable to read GPT data\n")); |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 217 | break; |
Randall Spangler | 695cd16 | 2010-06-15 23:38:23 -0700 | [diff] [blame] | 218 | } |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 219 | |
| 220 | /* Initialize GPT library */ |
Randall Spangler | 695cd16 | 2010-06-15 23:38:23 -0700 | [diff] [blame] | 221 | if (GPT_SUCCESS != GptInit(&gpt)) { |
Randall Spangler | e2ec984 | 2010-06-23 21:17:07 -0700 | [diff] [blame] | 222 | VBDEBUG(("Error parsing GPT\n")); |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 223 | break; |
Randall Spangler | 695cd16 | 2010-06-15 23:38:23 -0700 | [diff] [blame] | 224 | } |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 225 | |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 226 | /* Allocate kernel header buffers */ |
| 227 | kbuf = (uint8_t*)Malloc(KBUF_SIZE); |
| 228 | if (!kbuf) |
| 229 | break; |
| 230 | |
| 231 | /* Loop over candidate kernel partitions */ |
| 232 | while (GPT_SUCCESS == GptNextKernelEntry(&gpt, &part_start, &part_size)) { |
| 233 | VbKeyBlockHeader* key_block; |
| 234 | VbKernelPreambleHeader* preamble; |
Randall Spangler | 741d2b2 | 2010-08-20 16:37:12 -0700 | [diff] [blame] | 235 | RSAPublicKey* data_key = NULL; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 236 | uint64_t key_version; |
Randall Spangler | 6668028 | 2010-08-16 12:33:44 -0700 | [diff] [blame] | 237 | uint64_t combined_version; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 238 | uint64_t body_offset; |
Randall Spangler | 4bb5e4b | 2010-08-19 09:05:22 -0700 | [diff] [blame] | 239 | uint64_t body_offset_sectors; |
| 240 | uint64_t body_sectors; |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 241 | int key_block_valid = 1; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 242 | |
Randall Spangler | e2ec984 | 2010-06-23 21:17:07 -0700 | [diff] [blame] | 243 | VBDEBUG(("Found kernel entry at %" PRIu64 " size %" PRIu64 "\n", |
| 244 | part_start, part_size)); |
Randall Spangler | 695cd16 | 2010-06-15 23:38:23 -0700 | [diff] [blame] | 245 | |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 246 | /* Found at least one kernel partition. */ |
| 247 | found_partitions++; |
| 248 | |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 249 | /* Read the first part of the kernel partition. */ |
Randall Spangler | 77ae389 | 2010-09-09 17:37:51 -0700 | [diff] [blame] | 250 | if (part_size < kbuf_sectors) { |
| 251 | VBDEBUG(("Partition too small to hold kernel.\n")); |
Randall Spangler | 741d2b2 | 2010-08-20 16:37:12 -0700 | [diff] [blame] | 252 | goto bad_kernel; |
Randall Spangler | 77ae389 | 2010-09-09 17:37:51 -0700 | [diff] [blame] | 253 | } |
| 254 | |
| 255 | if (0 != BootDeviceReadLBA(part_start, kbuf_sectors, kbuf)) { |
| 256 | VBDEBUG(("Unable to read start of partition.\n")); |
Randall Spangler | 741d2b2 | 2010-08-20 16:37:12 -0700 | [diff] [blame] | 257 | goto bad_kernel; |
Randall Spangler | 77ae389 | 2010-09-09 17:37:51 -0700 | [diff] [blame] | 258 | } |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 259 | |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 260 | /* Verify the key block. */ |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 261 | key_block = (VbKeyBlockHeader*)kbuf; |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 262 | if (0 != KeyBlockVerify(key_block, KBUF_SIZE, kernel_subkey, 0)) { |
| 263 | VBDEBUG(("Verifying key block signature failed.\n")); |
| 264 | key_block_valid = 0; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 265 | |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 266 | /* If we're not in developer mode, this kernel is bad. */ |
| 267 | if (kBootDev != boot_mode) |
Randall Spangler | 741d2b2 | 2010-08-20 16:37:12 -0700 | [diff] [blame] | 268 | goto bad_kernel; |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 269 | |
| 270 | /* In developer mode, we can continue if the SHA-512 hash of the key |
| 271 | * block is valid. */ |
| 272 | if (0 != KeyBlockVerify(key_block, KBUF_SIZE, kernel_subkey, 1)) { |
| 273 | VBDEBUG(("Verifying key block hash failed.\n")); |
Randall Spangler | 741d2b2 | 2010-08-20 16:37:12 -0700 | [diff] [blame] | 274 | goto bad_kernel; |
Randall Spangler | ae029d9 | 2010-07-19 18:26:35 -0700 | [diff] [blame] | 275 | } |
Randall Spangler | 695cd16 | 2010-06-15 23:38:23 -0700 | [diff] [blame] | 276 | } |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 277 | |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 278 | /* Check the key block flags against the current boot mode. */ |
| 279 | if (!(key_block->key_block_flags & |
| 280 | (dev_switch ? KEY_BLOCK_FLAG_DEVELOPER_1 : |
| 281 | KEY_BLOCK_FLAG_DEVELOPER_0))) { |
| 282 | VBDEBUG(("Key block developer flag mismatch.\n")); |
| 283 | key_block_valid = 0; |
| 284 | } |
| 285 | if (!(key_block->key_block_flags & |
| 286 | (rec_switch ? KEY_BLOCK_FLAG_RECOVERY_1 : |
| 287 | KEY_BLOCK_FLAG_RECOVERY_0))) { |
| 288 | VBDEBUG(("Key block recovery flag mismatch.\n")); |
| 289 | key_block_valid = 0; |
| 290 | } |
| 291 | |
| 292 | /* Check for rollback of key version except in recovery mode. */ |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 293 | key_version = key_block->data_key.key_version; |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 294 | if (kBootRecovery != boot_mode) { |
| 295 | if (key_version < (tpm_version >> 16)) { |
| 296 | VBDEBUG(("Key version too old.\n")); |
| 297 | key_block_valid = 0; |
| 298 | } |
| 299 | } |
| 300 | |
| 301 | /* If we're not in developer mode, require the key block to be valid. */ |
| 302 | if (kBootDev != boot_mode && !key_block_valid) { |
| 303 | VBDEBUG(("Key block is invalid.\n")); |
Randall Spangler | 741d2b2 | 2010-08-20 16:37:12 -0700 | [diff] [blame] | 304 | goto bad_kernel; |
Randall Spangler | 695cd16 | 2010-06-15 23:38:23 -0700 | [diff] [blame] | 305 | } |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 306 | |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 307 | /* Get the key for preamble/data verification from the key block. */ |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 308 | data_key = PublicKeyToRSA(&key_block->data_key); |
Randall Spangler | 77ae389 | 2010-09-09 17:37:51 -0700 | [diff] [blame] | 309 | if (!data_key) { |
| 310 | VBDEBUG(("Data key bad.\n")); |
Randall Spangler | 741d2b2 | 2010-08-20 16:37:12 -0700 | [diff] [blame] | 311 | goto bad_kernel; |
Randall Spangler | 77ae389 | 2010-09-09 17:37:51 -0700 | [diff] [blame] | 312 | } |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 313 | |
| 314 | /* Verify the preamble, which follows the key block */ |
| 315 | preamble = (VbKernelPreambleHeader*)(kbuf + key_block->key_block_size); |
Randall Spangler | 87c13d8 | 2010-07-19 10:35:40 -0700 | [diff] [blame] | 316 | if ((0 != VerifyKernelPreamble(preamble, |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 317 | KBUF_SIZE - key_block->key_block_size, |
| 318 | data_key))) { |
Randall Spangler | e2ec984 | 2010-06-23 21:17:07 -0700 | [diff] [blame] | 319 | VBDEBUG(("Preamble verification failed.\n")); |
Randall Spangler | 741d2b2 | 2010-08-20 16:37:12 -0700 | [diff] [blame] | 320 | goto bad_kernel; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 321 | } |
| 322 | |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 323 | /* If the key block is valid and we're not in recovery mode, check for |
| 324 | * rollback of the kernel version. */ |
Randall Spangler | 6668028 | 2010-08-16 12:33:44 -0700 | [diff] [blame] | 325 | combined_version = ((key_version << 16) | |
| 326 | (preamble->kernel_version & 0xFFFF)); |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 327 | if (key_block_valid && kBootRecovery != boot_mode) { |
| 328 | if (combined_version < tpm_version) { |
| 329 | VBDEBUG(("Kernel version too low.\n")); |
| 330 | /* If we're not in developer mode, kernel version must be valid. */ |
| 331 | if (kBootDev != boot_mode) |
| 332 | goto bad_kernel; |
| 333 | } |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 334 | } |
| 335 | |
Randall Spangler | e2ec984 | 2010-06-23 21:17:07 -0700 | [diff] [blame] | 336 | VBDEBUG(("Kernel preamble is good.\n")); |
Randall Spangler | 695cd16 | 2010-06-15 23:38:23 -0700 | [diff] [blame] | 337 | |
Randall Spangler | 6668028 | 2010-08-16 12:33:44 -0700 | [diff] [blame] | 338 | /* Check for lowest version from a valid header. */ |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 339 | if (key_block_valid && lowest_version > combined_version) |
Randall Spangler | 6668028 | 2010-08-16 12:33:44 -0700 | [diff] [blame] | 340 | lowest_version = combined_version; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 341 | |
| 342 | /* If we already have a good kernel, no need to read another |
| 343 | * one; we only needed to look at the versions to check for |
Randall Spangler | 77ae389 | 2010-09-09 17:37:51 -0700 | [diff] [blame] | 344 | * rollback. So skip to the next kernel preamble. */ |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 345 | if (-1 != good_partition) |
Randall Spangler | 77ae389 | 2010-09-09 17:37:51 -0700 | [diff] [blame] | 346 | continue; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 347 | |
| 348 | /* Verify body load address matches what we expect */ |
Randall Spangler | 695cd16 | 2010-06-15 23:38:23 -0700 | [diff] [blame] | 349 | if ((preamble->body_load_address != (size_t)params->kernel_buffer) && |
| 350 | !(params->boot_flags & BOOT_FLAG_SKIP_ADDR_CHECK)) { |
Randall Spangler | e2ec984 | 2010-06-23 21:17:07 -0700 | [diff] [blame] | 351 | VBDEBUG(("Wrong body load address.\n")); |
Randall Spangler | 741d2b2 | 2010-08-20 16:37:12 -0700 | [diff] [blame] | 352 | goto bad_kernel; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 353 | } |
| 354 | |
| 355 | /* Verify kernel body starts at a multiple of the sector size. */ |
| 356 | body_offset = key_block->key_block_size + preamble->preamble_size; |
| 357 | if (0 != body_offset % blba) { |
Randall Spangler | e2ec984 | 2010-06-23 21:17:07 -0700 | [diff] [blame] | 358 | VBDEBUG(("Kernel body not at multiple of sector size.\n")); |
Randall Spangler | 741d2b2 | 2010-08-20 16:37:12 -0700 | [diff] [blame] | 359 | goto bad_kernel; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 360 | } |
Randall Spangler | 4bb5e4b | 2010-08-19 09:05:22 -0700 | [diff] [blame] | 361 | body_offset_sectors = body_offset / blba; |
| 362 | |
| 363 | /* Verify kernel body fits in the buffer */ |
| 364 | body_sectors = (preamble->body_signature.data_size + blba - 1) / blba; |
| 365 | if (body_sectors * blba > params->kernel_buffer_size) { |
| 366 | VBDEBUG(("Kernel body doesn't fit in memory.\n")); |
Randall Spangler | 741d2b2 | 2010-08-20 16:37:12 -0700 | [diff] [blame] | 367 | goto bad_kernel; |
Randall Spangler | 4bb5e4b | 2010-08-19 09:05:22 -0700 | [diff] [blame] | 368 | } |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 369 | |
| 370 | /* Verify kernel body fits in the partition */ |
Randall Spangler | 4bb5e4b | 2010-08-19 09:05:22 -0700 | [diff] [blame] | 371 | if (body_offset_sectors + body_sectors > part_size) { |
Randall Spangler | e2ec984 | 2010-06-23 21:17:07 -0700 | [diff] [blame] | 372 | VBDEBUG(("Kernel body doesn't fit in partition.\n")); |
Randall Spangler | 741d2b2 | 2010-08-20 16:37:12 -0700 | [diff] [blame] | 373 | goto bad_kernel; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 374 | } |
| 375 | |
| 376 | /* Read the kernel data */ |
Randall Spangler | 6078ca3 | 2010-10-18 15:49:28 -0700 | [diff] [blame] | 377 | VBPERFSTART("VB_RKD"); |
Randall Spangler | 4bb5e4b | 2010-08-19 09:05:22 -0700 | [diff] [blame] | 378 | if (0 != BootDeviceReadLBA(part_start + body_offset_sectors, |
| 379 | body_sectors, |
| 380 | params->kernel_buffer)) { |
Randall Spangler | e2ec984 | 2010-06-23 21:17:07 -0700 | [diff] [blame] | 381 | VBDEBUG(("Unable to read kernel data.\n")); |
Randall Spangler | 6078ca3 | 2010-10-18 15:49:28 -0700 | [diff] [blame] | 382 | VBPERFEND("VB_RKD"); |
Randall Spangler | 741d2b2 | 2010-08-20 16:37:12 -0700 | [diff] [blame] | 383 | goto bad_kernel; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 384 | } |
Randall Spangler | 6078ca3 | 2010-10-18 15:49:28 -0700 | [diff] [blame] | 385 | VBPERFEND("VB_RKD"); |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 386 | |
| 387 | /* Verify kernel data */ |
| 388 | if (0 != VerifyData((const uint8_t*)params->kernel_buffer, |
Randall Spangler | 87c13d8 | 2010-07-19 10:35:40 -0700 | [diff] [blame] | 389 | params->kernel_buffer_size, |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 390 | &preamble->body_signature, data_key)) { |
Randall Spangler | e2ec984 | 2010-06-23 21:17:07 -0700 | [diff] [blame] | 391 | VBDEBUG(("Kernel data verification failed.\n")); |
Randall Spangler | 741d2b2 | 2010-08-20 16:37:12 -0700 | [diff] [blame] | 392 | goto bad_kernel; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 393 | } |
| 394 | |
| 395 | /* Done with the kernel signing key, so can free it now */ |
| 396 | RSAPublicKeyFree(data_key); |
Randall Spangler | 741d2b2 | 2010-08-20 16:37:12 -0700 | [diff] [blame] | 397 | data_key = NULL; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 398 | |
| 399 | /* If we're still here, the kernel is valid. */ |
| 400 | /* Save the first good partition we find; that's the one we'll boot */ |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 401 | VBDEBUG(("Partition is good.\n")); |
| 402 | good_partition_key_block_valid = key_block_valid; |
Randall Spangler | beb5bae | 2010-06-21 16:33:26 -0700 | [diff] [blame] | 403 | /* TODO: GPT partitions start at 1, but cgptlib starts them at 0. |
| 404 | * Adjust here, until cgptlib is fixed. */ |
| 405 | good_partition = gpt.current_kernel + 1; |
Randall Spangler | b9d60a5 | 2010-06-23 12:43:01 -0700 | [diff] [blame] | 406 | params->partition_number = gpt.current_kernel + 1; |
Bill Richardson | 5deb67f | 2010-07-23 17:22:25 -0700 | [diff] [blame] | 407 | GetCurrentKernelUniqueGuid(&gpt, ¶ms->partition_guid); |
Randall Spangler | 63dffcb | 2010-08-05 15:13:14 -0700 | [diff] [blame] | 408 | /* TODO: GetCurrentKernelUniqueGuid() should take a destination size, or |
| 409 | * the dest should be a struct, so we know it's big enough. */ |
Randall Spangler | 695cd16 | 2010-06-15 23:38:23 -0700 | [diff] [blame] | 410 | params->bootloader_address = preamble->bootloader_address; |
| 411 | params->bootloader_size = preamble->bootloader_size; |
Randall Spangler | 741d2b2 | 2010-08-20 16:37:12 -0700 | [diff] [blame] | 412 | |
| 413 | /* Update GPT to note this is the kernel we're trying */ |
| 414 | GptUpdateKernelEntry(&gpt, GPT_UPDATE_ENTRY_TRY); |
| 415 | |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 416 | /* If we're in recovery mode or we're about to boot a dev-signed kernel, |
| 417 | * there's no rollback protection, so we can stop at the first valid |
| 418 | * kernel. */ |
| 419 | if (kBootRecovery == boot_mode || !key_block_valid) { |
| 420 | VBDEBUG(("In recovery mode or dev-signed kernel\n")); |
Randall Spangler | 695cd16 | 2010-06-15 23:38:23 -0700 | [diff] [blame] | 421 | break; |
Randall Spangler | beb5bae | 2010-06-21 16:33:26 -0700 | [diff] [blame] | 422 | } |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 423 | |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 424 | /* Otherwise, we do care about the key index in the TPM. If the good |
| 425 | * partition's key version is the same as the tpm, then the TPM doesn't |
| 426 | * need updating; we can stop now. Otherwise, we'll check all the other |
| 427 | * headers to see if they contain a newer key. */ |
Randall Spangler | 6668028 | 2010-08-16 12:33:44 -0700 | [diff] [blame] | 428 | if (combined_version == tpm_version) { |
| 429 | VBDEBUG(("Same kernel version\n")); |
Randall Spangler | 695cd16 | 2010-06-15 23:38:23 -0700 | [diff] [blame] | 430 | break; |
Randall Spangler | beb5bae | 2010-06-21 16:33:26 -0700 | [diff] [blame] | 431 | } |
Randall Spangler | 741d2b2 | 2010-08-20 16:37:12 -0700 | [diff] [blame] | 432 | |
| 433 | /* Continue, so that we skip the error handling code below */ |
| 434 | continue; |
| 435 | |
| 436 | bad_kernel: |
| 437 | /* Handle errors parsing this kernel */ |
| 438 | if (NULL != data_key) |
| 439 | RSAPublicKeyFree(data_key); |
| 440 | |
| 441 | VBDEBUG(("Marking kernel as invalid.\n")); |
| 442 | GptUpdateKernelEntry(&gpt, GPT_UPDATE_ENTRY_BAD); |
| 443 | |
| 444 | |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 445 | } /* while(GptNextKernelEntry) */ |
| 446 | } while(0); |
| 447 | |
| 448 | /* Free kernel buffer */ |
| 449 | if (kbuf) |
| 450 | Free(kbuf); |
| 451 | |
| 452 | /* Write and free GPT data */ |
| 453 | WriteAndFreeGptData(&gpt); |
| 454 | |
| 455 | /* Handle finding a good partition */ |
| 456 | if (good_partition >= 0) { |
Randall Spangler | e2ec984 | 2010-06-23 21:17:07 -0700 | [diff] [blame] | 457 | VBDEBUG(("Good_partition >= 0\n")); |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 458 | |
| 459 | /* See if we need to update the TPM */ |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 460 | if (kBootRecovery != boot_mode) { |
| 461 | /* We only update the TPM in normal and developer boot modes. In |
| 462 | * developer mode, we only advanced lowest_version for kernels with valid |
| 463 | * key blocks, and didn't count self-signed key blocks. In recovery |
| 464 | * mode, the TPM stays PP-unlocked, so anything we write gets blown away |
| 465 | * by the firmware when we go back to normal mode. */ |
| 466 | VBDEBUG(("Boot_flags = not recovery\n")); |
Randall Spangler | 6668028 | 2010-08-16 12:33:44 -0700 | [diff] [blame] | 467 | if (lowest_version > tpm_version) { |
| 468 | status = RollbackKernelWrite((uint32_t)lowest_version); |
Randall Spangler | 7a786b7 | 2010-07-08 13:29:42 -0700 | [diff] [blame] | 469 | if (0 != status) { |
Randall Spangler | e2ec984 | 2010-06-23 21:17:07 -0700 | [diff] [blame] | 470 | VBDEBUG(("Error writing kernel versions to TPM.\n")); |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 471 | if (status == TPM_E_MUST_REBOOT) |
| 472 | retval = LOAD_KERNEL_REBOOT; |
| 473 | else |
| 474 | recovery = VBNV_RECOVERY_RW_TPM_ERROR; |
| 475 | goto LoadKernelExit; |
Randall Spangler | 1078838 | 2010-06-23 15:35:31 -0700 | [diff] [blame] | 476 | } |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 477 | } |
| 478 | } |
| 479 | |
Randall Spangler | 63dffcb | 2010-08-05 15:13:14 -0700 | [diff] [blame] | 480 | /* Lock the kernel versions */ |
| 481 | status = RollbackKernelLock(); |
| 482 | if (0 != status) { |
| 483 | VBDEBUG(("Error locking kernel versions.\n")); |
| 484 | /* Don't reboot to recovery mode if we're already there */ |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 485 | if (kBootRecovery != boot_mode) { |
| 486 | if (status == TPM_E_MUST_REBOOT) |
| 487 | retval = LOAD_KERNEL_REBOOT; |
| 488 | else |
| 489 | recovery = VBNV_RECOVERY_RW_TPM_ERROR; |
| 490 | goto LoadKernelExit; |
| 491 | } |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 492 | } |
| 493 | |
| 494 | /* Success! */ |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 495 | retval = LOAD_KERNEL_SUCCESS; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 496 | } |
| 497 | |
Randall Spangler | 640fb51 | 2011-03-03 10:11:17 -0800 | [diff] [blame^] | 498 | LoadKernelExit: |
| 499 | |
| 500 | /* Save whether the good partition's key block was fully verified */ |
| 501 | VbNvSet(vnc, VBNV_FW_VERIFIED_KERNEL_KEY, good_partition_key_block_valid); |
| 502 | |
| 503 | /* Store recovery request, if any, then tear down non-volatile storage */ |
| 504 | VbNvSet(vnc, VBNV_RECOVERY_REQUEST, LOAD_KERNEL_RECOVERY == retval ? |
| 505 | recovery : VBNV_RECOVERY_NOT_REQUESTED); |
| 506 | VbNvTeardown(vnc); |
| 507 | |
| 508 | return retval; |
Randall Spangler | d183644 | 2010-06-10 09:59:04 -0700 | [diff] [blame] | 509 | } |